
GrabCar Pte. Ltd. [2018] SGPDPC 23

Analysis of [2018] SGPDPC 23, a decision of the Personal Data Protection Commission on 2018-09-27.

Case Details

  • Citation: [2018] SGPDPC 23
  • Court: Personal Data Protection Commission
  • Date: 2018-09-27
  • Judges: Tan Kiat How, Commissioner
  • Plaintiff/Applicant: -
  • Defendant/Respondent: GrabCar Pte. Ltd.
  • Legal Areas: Data Protection – Protection obligation, Data Protection – Personal Data
  • Statutes Referenced: Road Traffic Act, Road Traffic Act (Cap. 276), Terms and Conditions or Code
  • Cases Cited: [2016] SGPDPC 17, [2016] SGPDPC 18, [2017] SGPDPC 18, [2018] SGPDPC 23
  • Judgment Length: 11 pages, 2,697 words

Summary

This case involves the unauthorized disclosure of the personal data of GrabHitch drivers in a Google Forms survey created by GrabCar Pte. Ltd. (the "Organisation"). The Personal Data Protection Commission (the "Commission") found that the Organisation breached its obligations under the Personal Data Protection Act (PDPA) to protect the personal data of the GrabHitch drivers. The Commission determined that the Organisation failed to implement reasonable security arrangements to prevent the unauthorized access and disclosure of the drivers' personal data.

What Were the Facts of This Case?

The Organisation is the provider of the GrabHitch service, a paid carpooling service that matches individual non-commercial private car owners ("Hitch Drivers") with people who are commuting along the same route. In accordance with the Organisation's Driver's Code of Conduct, Hitch Drivers who fail to comply with the Terms and Conditions or Code of Conduct may be penalized through account deactivation, the withholding, reduction or forfeit of driver incentives or credits, suspension or permanent banning.

At the time of the incident, the Organisation had suspended the accounts of 20 Hitch Drivers for various offenses such as unacceptable behavior and/or usage of the platform. These Hitch Drivers had appealed their suspensions. The Organisation created a "GrabHitch SG Appeal Form" using Google Forms to allow the Hitch Drivers to submit an appeal and for the Organisation to contact them for further investigation.

The Hitch Drivers whose accounts had been suspended were able to access the Google Form on 16 June 2017. They were required to fill in fields in the Google Form including their name, NRIC number, mobile number, vehicle plate, and an appeal statement. However, due to an incorrect setting chosen by the employee responsible for uploading the Google Form, all Hitch Drivers who had submitted the form were able to view all the appeal data, including the personal data of the other Hitch Drivers who had appealed.

The key legal issues in this case were:

1. Whether the information disclosed in the Google Form constituted personal data under the PDPA.

2. Whether the Organisation breached its obligations under section 24 of the PDPA to protect the personal data in its possession or under its control.

How Did the Court Analyse the Issues?

On the first issue, the Commission found that the information disclosed in the Google Form, including the Hitch Drivers' names, NRIC numbers, mobile numbers, vehicle plate numbers, and appeal statements, constituted personal data as defined in the PDPA. The Commission noted that the Organisation had alleged that some of the Hitch Drivers were suspended for "gaming" the system, which suggested serious allegations of fraudulent intent. The Commission held that the Organisation should have treated such personal data with appropriate care, given the serious nature of the allegations.

The Commission also considered that two of the 20 Hitch Drivers were GrabCar drivers as well. The Commission found that the names and mobile phone numbers of these two GrabCar drivers could be considered "business contact information" under the PDPA, and therefore not subject to the data protection obligations. However, their NRIC numbers would not fall within the definition of business contact information.

On the second issue, the Commission found that the Organisation had breached its obligations under section 24 of the PDPA to protect the personal data of the Hitch Drivers. The Commission noted that the incident occurred because the employee responsible for uploading the Google Form had chosen the incorrect setting, allowing all Hitch Drivers to view the appeal data. At the time of the incident, the Organisation did not have any policies or procedures to guide its employees on the use of Google Forms to collect personal data, nor did it provide any training.

The Commission emphasized that the Organisation had a responsibility to ensure it had a sufficient understanding and appreciation of the product (Google Forms) before using it to collect, use, and disclose personal data. The Commission drew a parallel to the case of Re GMM Technoworld Pte. Ltd. [2016] SGPDPC 18, where an organization's misunderstanding and incorrect use of a third-party plug-in resulted in the unauthorized disclosure of personal data.

What Was the Outcome?

The Commission found that the Organisation had breached its obligations under section 24 of the PDPA to protect the personal data of the Hitch Drivers. The Commission directed the Organisation to implement the following measures:

  • Develop and implement a data protection policy that includes guidelines on the use of third-party tools and platforms to collect, use, and disclose personal data.
  • Provide training to its employees on the proper use of third-party tools and platforms for handling personal data.
  • Conduct a review of its existing processes and implement appropriate measures to prevent a recurrence of similar incidents.

The Commission did not impose a financial penalty on the Organisation, as it found that the Organisation had cooperated fully with the investigation and had taken prompt remedial actions to address the incident.

Why Does This Case Matter?

This case is significant for several reasons:

1. It reinforces the importance of organizations having a clear understanding of the tools and platforms they use to collect, use, and disclose personal data. Organizations cannot simply rely on third-party tools without ensuring they have the proper policies, procedures, and training in place to handle personal data securely.

2. The case highlights the need for organizations to treat personal data with appropriate care, especially when the data may involve serious allegations or implications for the individuals concerned.

3. The case provides guidance on the scope of "business contact information" under the PDPA, and the circumstances in which such information may be exempt from the data protection obligations.

4. The case demonstrates the Commission's willingness to hold organizations accountable for breaches of the PDPA, even in the absence of a financial penalty, by requiring the implementation of remedial measures to prevent similar incidents in the future.

Legislation Referenced

  • Road Traffic Act
  • Road Traffic Act (Cap. 276)
  • Personal Data Protection Act (PDPA)

Cases Cited

  • [2016] SGPDPC 17 (Re Comfort Transportation Pte Ltd and another)
  • [2016] SGPDPC 18 (Re GMM Technoworld Pte. Ltd.)
  • [2017] SGPDPC 18
  • [2018] SGPDPC 23 (GrabCar Pte. Ltd.)

Source Documents

This article analyses [2018] SGPDPC 23 for legal research and educational purposes. It does not constitute legal advice. Readers should consult the full judgment for the Court's complete reasoning.

Written by Sushant Shukla
